javascript 使用不带引号的键安全地解析 JSON 字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4210160/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Safely parsing a JSON string with unquoted keys
提问by daepark
json2.jsis strict requiring all object keys be double-quoted. However, in Javascript syntax {"foo":"bar"}is equivalent to {foo:"bar"}.
json2.js严格要求所有对象键都用双引号引起来。但是,在 Javascript 语法{"foo":"bar"}中等效于{foo:"bar"}.
I have a textarea that accepts JSON input from the user and would like to "ease" the restriction on double quoting the keys. I've looked at how json2.js validates a JSON string in four stages before it evals it. I was able to add a 5th stage to allow unquoted keys and would like to know if there are any security implications to this logic.
我有一个 textarea 接受来自用户的 JSON 输入,并希望“放宽”对双引号键的限制。我已经查看了 json2.js 如何在对 JSON 字符串进行评估之前分四个阶段验证它。我能够添加第 5 个阶段以允许不带引号的键,并想知道此逻辑是否存在任何安全隐患。
var data = '{name:"hello", age:"23"}';
// Make sure the incoming data is actual JSON
// Logic borrowed from http://json.org/json2.js
if ( /^[\],:{}\s]*$/.test(data.replace(/\(?:["\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
.replace(/"[^"\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
.replace(/(?:^|:|,)(?:\s*\[)+/g, ":") // EDITED: allow key:[array] by replacing with safe char ":"
/** everything up to this point is json2.js **/
/** this is the 5th stage where it accepts unquoted keys **/
.replace(/\w+\s*\:/g, ":")) ) { // EDITED: allow any alphanumeric key
console.log( (new Function("return " + data))() );
}
else {
throw( "Invalid JSON: " + data );
}
回答by Anthony Corbelli
data.replace(/(['"])?([a-zA-Z0-9]+)(['"])?:/g, '"":');
That will replace any single quotes on the parameter name, and add any that are missing.
这将替换参数名称上的任何单引号,并添加任何缺少的单引号。
回答by daepark
I thought it would be helpful to have actual test cases to flush out any issues with this implementation. I've added a github project called JSOL with some tests. Please fill free to add to it and find issues. Thanks.
我认为拥有实际的测试用例来解决此实现的任何问题会很有帮助。我添加了一个名为 JSOL 的 github 项目,并进行了一些测试。请填写免费添加到它并发现问题。谢谢。
回答by Inigo
Use JSON5.parse
利用 JSON5.parse
JSON5is a superset of JSON that allows ES5 syntax, including unquotedproperty keys. The JSON5 reference implementation (json5npm package) provides a JSON5object that has the same methods with the same args and semantics as the built-in JSONobject.
JSON5是 JSON 的超集,它允许使用 ES5 语法,包括不带引号的属性键。JSON5 参考实现(json5npm 包)提供了一个JSON5对象,该对象具有与内置JSON对象相同的方法和相同的参数和语义。
回答by mattbasta
JSON does not allow unquoted keys. JSON is a subset of JavaScript notation, and that does not include unquoted keys. Passing unquoted keys to just about any JSON parser will likely throw an error or return "unexpected" results.
JSON 不允许不带引号的键。JSON 是 JavaScript 符号的一个子集,不包括未加引号的键。将未加引号的键传递给几乎任何 JSON 解析器都可能会引发错误或返回“意外”结果。
Hope this helps
希望这可以帮助
